1. Field of the Invention
The present invention relates to an operating system monitoring apparatus (hereinafter, referred to as an “OS monitor apparatus”) arranged in a device such as a mobile phone, personal digital assistant (PDA), personal computer (PC) or information home appliance. The present invention also relates to an operating system monitoring setting information generator apparatus (hereinafter, referred to as an “OS monitoring setting information generator apparatus”) configured to generate monitoring setting information for monitoring an operating system (OS).
2. Description of the Related Art
Heretofore, there has been known a technique for monitoring the integrity of the memory and files of a monitoring target OS in a device such as a mobile phone or a PC, and for handling a problem if one occurs, by use of an OS monitor apparatus arranged in an environment isolated from the monitoring target OS (refer to US Patent Application 20050132122A1).
The OS monitor apparatus stores monitoring setting information (including a hash value, address, size or the like of a binary of a software program) for monitoring the memory or files, as a policy.
According to such a technique, a monitoring target OS can be protected from a failure or attack by arranging the OS monitor apparatus in an environment isolated from the monitoring target OS.
In the meantime, when a monitoring target software program is updated for applying a patch program to the program or for adding a function thereto, monitoring setting information corresponding to the monitoring target software program needs to be updated as well to be consistent with a change made in the monitoring target software program.
Taking such a need into consideration, a technique has been developed to check the compatibility of a software update package with the software configuration of a device on the basis of signature verification of the software update package or of device identification information (refer to U.S. Pat. No. 6,832,373).
However, in order to securely and efficiently monitor the integrity or soundness of the OS on the device and to maintain normal operation, the following tasks must be accomplished both at the time of updating the program and at the time of operating it (the so-called run-time).
(Tasks at Update Time)
One of the tasks at the time of update is prevention of the monitoring setting information from being updated with unauthorized monitoring setting information, or with monitoring setting information that is not consistent with the updated software program. The former, that is, an update with unauthorized monitoring setting information, can be checked by use of a digital signature or the like. In order to prevent the latter, however, the following tasks must be accomplished.
A first task is prevention of an inconsistency caused by a failure in updating the monitoring setting information between the updated software program and the monitoring setting information.
Specifically, when the update of the monitoring setting information corresponding to the software program fails after the software program has already been updated, an inconsistency occurs between the updated software program and the monitoring setting information whose update has failed. In this case, it is difficult to restore the updated software program to its original state due to the limitation of storage capacity.
When the device operates in such an inconsistent state, an anomalous state is detected by the OS monitor apparatus, and the device is reset and becomes unusable, a functional restriction is imposed on the device, or the like. These are problems that reduce usability for the user.
A second task is prevention of an inconsistency between the software environment in the device and the monitoring setting information.
Specifically, suppose a case where the monitoring setting information is generated under a condition in which there is an inconsistency between the monitoring setting information and the software update package. In this case, even though the update of the monitoring setting information succeeds, an inconsistency occurs between the monitoring setting information and the updated software program. Accordingly, there arises a problem that the monitoring by the OS monitor apparatus fails.
Furthermore, in a case where the monitoring setting information is updated independently of the update of a software program, it is necessary to check whether or not the updated monitoring setting information is consistent with the software environment in the device. If the monitoring setting information is updated while the updated information does not conform to the software environment in the device, there is a problem that an inconsistency occurs between the monitoring setting information and the software program.
A third task is prevention of monitoring setting information from being replaced with old monitoring setting information.
Specifically, consider an attack in a situation where new monitoring setting information already exists as a result of an update. In this situation, the attack replaces the new monitoring setting information with the old monitoring setting information. Such an attack cannot be detected by digital signature verification. This results in a problem of creating a threat that the monitoring target device operates in accordance with the old security policy.
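As an added illustration that is not part of the patent text, the following Python sketch models the monitoring setting information of the earlier description (hash and size of a program binary, carried with a signature) and the update-time checks discussed above: a signature check, a consistency check against the installed program, and a monotonically increasing version number that rejects the rollback of the third task, which the signature check alone accepts. The key, binaries and names are constructed, and an HMAC stands in for the digital signature solely so that the example runs offline.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the issuer's signing key; HMAC replaces the
# digital signature the text refers to, purely to keep the example offline.
ISSUER_KEY = b"constructed-issuer-key"


def make_setting_info(name, binary, version, key=ISSUER_KEY):
    """Build one signed monitoring setting entry (hash, size, version)."""
    body = {"name": name, "sha256": hashlib.sha256(binary).hexdigest(),
            "size": len(binary), "version": version}
    payload = json.dumps(body, sort_keys=True).encode()
    return {"body": body,
            "sig": hmac.new(key, payload, hashlib.sha256).hexdigest()}


def signature_ok(info, key=ISSUER_KEY):
    """Authenticity check: detects forged or altered setting information."""
    payload = json.dumps(info["body"], sort_keys=True).encode()
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return hmac.compare_digest(info["sig"], expected)


def consistent_with_installed(info, installed_binary):
    """Second task: does the entry describe the program actually on the device?"""
    body = info["body"]
    return (body["size"] == len(installed_binary)
            and body["sha256"] == hashlib.sha256(installed_binary).hexdigest())


def accept_update(info, installed_binary, current_version):
    """Decide whether to install new setting information; returns (ok, reason).
    The version check supplies what the signature cannot: a genuinely signed
    but older entry is rejected instead of rolling the policy back."""
    if not signature_ok(info):
        return False, "bad signature"
    if not consistent_with_installed(info, installed_binary):
        return False, "inconsistent with installed program"
    if info["body"]["version"] <= current_version:
        return False, "rollback to older setting information"
    return True, "ok"


# Constructed sample: a driver binary before and after a patch.
OLD_BIN = b"driver v1 code"
NEW_BIN = b"driver v2 code (patched)"
OLD_INFO = make_setting_info("driver.bin", OLD_BIN, version=1)
NEW_INFO = make_setting_info("driver.bin", NEW_BIN, version=2)
```

Replaying the old pair (OLD_INFO together with OLD_BIN) on a device that already holds version 2 passes both the signature and consistency checks and is stopped only by the version comparison.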
(Tasks at the Time of Operation)
There are the following tasks at the time of operation, in terms of the updating of monitoring setting information and of an increase in the efficiency of such updating.
A first task is handling of a software program whose arrangement address is determined at the time of operation.
Specifically, as to a device driver or the like that is dynamically loaded at the time of use, an OS monitor apparatus needs to be notified, by the OS, of the arrangement address of the device driver or the like at the time of operation. There is, however, a problem that a compromised OS is likely to forge this information (that is, not to provide true information).
A second task is a reduction in overhead.
Specifically, in reducing the amount of overhead related to the aforementioned monitoring, it is necessary to consider the trade-off between maintaining security and taking measures that prevent the aforementioned monitoring from degrading response speed or increasing battery consumption.